Method and system to secure and dynamically share IOT information cross multiple platforms in 5G network

ABSTRACT

A device includes a processor having a trusted security zone and trusted memory communicatively coupled to the trusted security zone to form a trusted execution environment (TEE) in which trusted applications operate. The trusted memory has a common repository. The device includes memory storing instructions that cause the processor to effectuate operations. The operations include receiving, from a first trusted application of the trusted applications, a first application data and storing the first application data in the common repository. The operations include determining that a second trusted application of the trusted applications has permission to access the first application data based on a policy module of the TEE and allowing the second trusted application to access the first application data.

TECHNICAL FIELD

This disclosure is related generally to managing access to secure data in a device and, more specifically, to selecting a network configuration based on the secure data.

BACKGROUND

Sensory internet of things (IOT) devices may use a network-connected device, such as a smart phone or a tablet, to connect to their respective servers. For example, IOT devices may communicate with the network-connected devices via Bluetooth® or near-field communication (NFC) technologies. The data from the IOT devices may be encrypted on the network-connected device. Further, this encrypted data may be stored in the trusted execution environment (TEE) of the network-connected device.

The storage capacity of the TEE does not include a common repository in which an application can access encrypted data of another application stored in the TEE. Thus, data sharing between trusted applications and network resources unaffiliated with that encrypted data may be restricted or impossible.

SUMMARY

In an aspect, this disclosure is directed to a device. The device may include a processor having a trusted security zone and trusted memory communicatively coupled to the trusted security zone to form a TEE in which trusted applications operate. The trusted memory may have a common repository. The device may include memory storing instructions that cause the processor to effectuate operations. The operations may include receiving, from a first trusted application of the trusted applications, a first application data and storing the first application data in the common repository. The operations may include determining that a second trusted application of the trusted applications has permission to access the first application data based on a policy module of the TEE and allowing the second trusted application to access the first application data.

In another aspect, this disclosure is directed to an apparatus. The apparatus may include a processor having a trusted security zone and a trusted memory communicatively coupled to the trusted security zone to form a TEE. Trusted applications may operate in the TEE. The trusted memory may have a common repository. The apparatus may include memory storing instructions that cause the processor to effectuate operations. The operations may include receiving, from a first trusted application of the trusted applications, a first application data and storing the first application data in the common repository. The operations may also include controlling access to the first application data by a second trusted application of the trusted applications based on a policy module of the TEE. The operations may include communicating an indication of the first application data to a network manager of a network. Based on the indication, the network manager may assign the device to a network slice of the network.

According to another aspect, this disclosure is directed to a method. The method may include receiving a first application data from a first trusted application operating in a TEE of a device. The method may include storing the first application data in a common repository of the TEE and receiving a request to access the first application data from a second trusted application operating in the TEE. The method may also include determining whether the second trusted application has access to the first application data based on a policy module. The method may include, based on the second trusted application accessing the first application data, communicating an indication of the first application data to a network manager of a network. Based on the indication, the network manager may assign the device to a network slice of the network.

BRIEF DESCRIPTION OF THE DRAWINGS

In the following description, for purposes of explanation, numerous specific details are set forth in order to provide an understanding of the variations in implementing the disclosed technology. However, the instant disclosure may take many different forms and should not be construed as limited to the examples set forth herein. Where practical, like numbers refer to like elements throughout.

FIG. 1A is a schematic of an architecture of an exemplary device having a TEE.

FIG. 1B illustrates an exemplary system that controls access to trusted application data.

FIG. 2 is a flowchart of an exemplary method for controlling access to data in a TEE.

FIG. 3 is a schematic of an exemplary device that may be a component of the system of FIG. 1B.

FIG. 4 illustrates a functional block diagram depicting one example of an LTE-EPS network architecture.

FIG. 5 depicts an exemplary diagrammatic representation of a machine in the form of a computer system 500.

FIG. 6 is a diagram of an exemplary telecommunications system in which the disclosed systems or methods may be implemented.

FIG. 7 is an example system diagram of a radio access network and a core network upon which an application may be deployed using the disclosed systems or methods.

FIG. 8 illustrates an architecture of a typical GPRS network 900 as described herein.

FIG. 9 illustrates a PLMN block diagram view of an example architecture that may be replaced by a telecommunications system.

DETAILED DESCRIPTION

FIG. 1A illustrates an exemplary architecture of device 100. Generally, device 100 may be a computing device adaptable to connect to and communicate with a network. For example, device 100 may be a user device, such as a smart phone, tablet, desktop computer, or laptop computer.

Device 100 may have multiple computing environments. Each computing environment may comprise a set of hardware and software components to support the respective applications that operate in that environment. The environments may include an operating system (OS) environment 102 and a TEE 104. For example, OS environment 102 may be the environment defined by the OS of device 100. This may be referred to as the normal environment or the rich OS environment. For example, OS environment 102 may include OS 106, such as a mobile OS or the like. Additionally, one or more common applications 108, such as client applications, may operate within OS environment 102.

TEE 104 may comprise a secure area of a main processor of device 100. It may provide hardware-based isolation from OS environment 102. TEE 104 may be used to isolate and protect code and data loaded within TEE 104 to maintain the confidentiality of such code and data, and to prevent such code or data from being tampered with or otherwise compromised. For example, by restricting which applications may run or access TEE 104, TEE 104 may be protected from interference by malware. For example, access to TEE 104 from outside of TEE 104, such as from OS environment 102 or from another device external to device 100, may be restricted. A TEE kernel 110 may control operations of TEE 104 and elements of TEE 104. For example, TEE 104 may include trusted applications 112 that operate and store data within TEE. For example, a trusted application 112 may be one that requires certain heightened security, such as identification-based access (e.g., fingerprint authorization, voice recognition authorization) and mobile commerce applications (e.g., mobile wallets, peer-to-peer payment technology) may particularly benefit from the heightened security of TEE 104. For example, trusted applications 112 may include applications for interfacing with internet of things (IOT) devices, such as security applications for controlling home security technologies, wearable device applications for interfacing with wearable devices, network connectivity applications for connecting to communication networks, or the like. The type or function of trusted applications 112 may not be what distinguishes trusted applications 112 from common applications 108. The difference may be that trusted applications 112 operate in TEE 104, and common applications 108 operate in OS environment 102.

Common application 108 and trusted applications 112 may generate or store data within device 100. For example, common applications 108 may store data in (or accessible through) OS environment 102, while trusted applications 112 may store data in (or accessible through) TEE 104. Because of the secure nature of TEE 104, each trusted application 112 may have a designated memory for storing its data, such that only that trusted application 112 may access that memory designated to that trusted application 112. Restricting access to trusted-application data to the trusted application 112 from which it originated may have certain security advantages. However, within TEE 104, and with trusted external devices, it may be advantageous to share data generated by a first trusted application 112 with other trusted applications 112 or other external devices.

Thus, TEE 104 may include a common repository 114 in which at least some data generated or stored by trusted applications 112 may be accessible to other trusted applications 112. Access to common repository 114 (and to certain data stored within common repository 114) may be controlled by a policy module 116. For example, policy module 116 may include certain policies (or rules) that restrict access to application data based on one or more factors, such as the identity of a source (e.g., trusted application 112 or external device) that stored application data in common repository 114, the identity of the element (e.g., trusted application 112 or external device) seeking access to the application data in common repository 114, a type of the application data, a location of the application data within common repository 114, or any other characteristic, such as a time of day, a network connection status, a battery power level, which trusted (or common) applications are actively running (as opposed to running in the background of device 100) or the like.

The policies of policy module 116 may include policies from one or more sources. For example, user-preference policies may be those policies selected by a user that dictate what data is being shared and with which elements that data is being shared. User-preference policies may be changed dynamically. That is, a user may change a user-preference policy by updating their preference. Further, these policies may be based on one or more factors or originate in one or more ways. For example, when a user links a wearable device, such as a fitness monitor, to device 100, a prompt may ask a user to indicate which trusted applications 112 (if any) that user wishes to have access to that data and under what circumstances that access should be permitted or denied. For example, a user may indicate that any global positioning system (GPS) information received on device 100 may be shared with another trusted application 112, such as one that facilitates a particular wearable device of the user. For example, by sharing GPS information generated by a GPS chip on device 100, the need for a wearable device, such as a fitness device that tracks movement, to have a GPS chip (e.g., to map the user's runs to a geographic map) may be eliminated.

As another example, policies of policy module 116 may include service-agreed rules. A service-agreed rule may be a policy whose acceptance by the user is required by a service provider to provide a certain service. For example, a service provider may require that access to any data collected or generated by its trusted application 112 be restricted to only other trusted applications 112 of that service provider, or that specific trusted applications 112 (such as those trusted applications 112 of a competitor of that service provider) be specifically excluded from accessing data generated or stored by the service provider's trusted application 112. As another example, a service-agreed rule may be a policy that requires the service provider's trusted application 112 to access certain application data of other trusted applications.

As another example, policies of policy module 116 may include carrier-related policies. For example, a telecommunications carrier may restrict or control access to data from its trusted applications. Conversely, a telecommunications carrier may require, as a condition of providing access to the telecommunications network, access to certain application data of other trusted applications 112. Similarly, a telecommunications carrier may provide incentives for a user to agree to optional carrier-related policies, such as increased quality of service, decreased costs, or other incentives.

As another example, policy module 116 may include healthcare information policies. For example, certain healthcare information may be subject to privacy laws and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA). This information may have certain legal restrictions that limit how such information may be shared. Additionally or alternatively, certain laws may dictate minimum security measures to protect such information. For trusted application data that includes information subject to such regulations, policies of policy module 116 may limit how such application data is shared, even among trusted applications 112.

Policy module 116 may have a certain hierarchy in which certain policies are applied. For example, if a service-agreed rule requires that certain application data be shared, but a healthcare information policy prohibits sharing that information without a user preference indicating that the user has authorized such information to be shared, then policy module 116 may override the service-agreed rule—which may or may not have an effect on the services provided by that service provider—and deny access to the healthcare information by that trusted application 112. Alternatively or additionally, the user may be prompted to grant the healthcare information-related permissions to eliminate this conflict of policies.

Policy module 116 may directly or indirectly control access to a secure element 118 of TEE 104. For example, secure element 118 may store encryption keys and codes. This information may be used to decrypt or access certain application data stored in common repository 114. Policy module 116 may control access to secure element 118 using the same or different policies as those used to control access to common repository 114.

In certain circumstances, it may be advantageous for TEE 104 and OS environment 102 (or elements within each) to communicate with one another. Thus, device 100 may include application programming interfaces (APIs) to facilitate such communication. For example, within TEE 102 there may exist a TEE internal API 120. Within OS environment 102, there may exist a TEE client API 122. Communications can be facilitated and restricted in accordance with APIs 120 and 122.

FIG. 1B illustrates an exemplary system 130 in which device 100 may operate. For clarity only, device 100 as depicted in FIG. 1B includes less than all of the elements as depicted in FIG. 1A. The lack of depiction of certain elements from one or more of the figures should not be interpreted to indicate that such elements are not present. FIG. 1B illustrates communications between TEE 104 of device 100 and external elements.

As discussed above with respect to FIG. 1A, trusted applications 112 may be affiliated with one or more connected devices 132, such as healthcare monitors, fitness monitors, smartwatches, navigation tools, wearables, implants, or other IOT devices. Such connected devices 132 may link to device 100 via Bluetooth® or NFC technologies, wired connections, or other wireless communications.

In addition to connected devices 132, trusted applications 112 may also be affiliated with one or more cloud services 134. For example, trusted application 112 a may be affiliated with connected device 132 a and connected-device server 136 a, and trusted application 112 b may be affiliated with connected device 132 b and connected-device server 136 b. These elements may, in one or more different combinations, operate to provide or facilitate cloud services 134.

Policy module 116 may also control access to common repository 114 from cloud services 134 and connected-device servers 136. This may allow cloud services 134, if the policies of policy module 116 permit, to benefit from or access data generated by trusted applications 112 or connected devices 132 that may not be directly linked together. For example, assume that connected device 132 a comprises a fitness tracker developed by company A. The fitness tracker works in conjunction with trusted application 112 a to provide certain cloud services 134, such as via connected-device server 136 a. But if the fitness tracker lacks a GPS chip, and trusted app 112 a does not have access to this information, then cloud services 134 provided in conjunction with the fitness tracker may be unable to map, for example, the user's jogging route. However, with the use of a common repository 114, if trusted application 112 b (alone or in conjunction with connected device 132 b) does have access to GPS information, then cloud services 134 provided via trusted application 112 a may make use of that GPS information via policy module 116.

The application data stored in common repository 114 may also be used to manage network connections of device 100. Thus, policy module 116 may facilitate access to such information, as permitted by the policies, to a network device that facilitates connecting device 100 to a network 138. For example, a network manager, such as a media gateway (MGW) 140 of network 100, may access application data stored in common repository 114. MGW 140 may slice network 100 based on the application data or its metadata, such as metadata indicating what application data is being accessed and by whom, or the like, to provide a network slice 142 for device 100. For example, the design of network slice 142 may depend upon a variety of factors and may be intended to provide support for the specific services device 100 is using, such as cloud services 134. For example, if device 100 is using network 100 for a first service that has certain requirements (e.g., latency or bandwidth requirements) that differ from the requirements of a second service, network slice 142 may be designed to meet those requirements of the first service, while not necessarily meeting other requirements of network 100 that may be used for another service that device 100 is not using at that time.

FIG. 2 illustrates an exemplary method 200 for controlling access to application data stored in common repository 114. For example, at step 202, method 200 may include first trusted application 112 a generating or receiving application data. For example, this data may be received from connected device 132 a. Policy module 116 may receive that application data to store in common repository 114. Policy module 116 may decide where to store application data within common repository 114.

At step 204, the first application data may be stored in common repository 114. This storage may be directed or facilitated by policy module 116, which controls access to common repository 114. In an aspect, trusted application 112 a may choose to store certain of its application data in common repository 114 while storing other application data in a memory only accessible by trusted application 112 a.

At step 206, method 200 may include determining that second trusted application 112 b has access to first application data based on policies of policy module 116. These policies may operate as discussed above. This access may be permitted directly through second trusted application 112 b, or it may be performed directly from connected-device server 136 b, depending upon the particular policies and functionality in that particular implementation. Based on these policies, step 208 may include controlling access to the first application data by the second trusted application.
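The policy hierarchy of policy module 116 and steps 202 through 208 of method 200, as an added Python sketch that is not part of the patent. The layer order (user, carrier, service), the rule fields, and every application name, data type and value are assumptions made for illustration.

```python
from dataclasses import dataclass

ALLOW, DENY = "allow", "deny"
# Assumed precedence: the first layer with a matching rule decides. The page
# only states that a healthcare policy can override a service-agreed rule.
LAYERS = ("user", "carrier", "service")


@dataclass(frozen=True)
class Rule:
    layer: str
    effect: str
    owner: str = "*"       # trusted application that stored the data
    requester: str = "*"   # trusted application asking for access
    data_type: str = "*"

    def matches(self, owner, requester, data_type):
        pairs = ((self.owner, owner), (self.requester, requester),
                 (self.data_type, data_type))
        return all(pattern in ("*", value) for pattern, value in pairs)


class PolicyModule:
    def __init__(self, rules, regulated_types=()):
        self.rules = list(rules)
        self.regulated_types = frozenset(regulated_types)

    def decide(self, owner, requester, data_type):
        if requester == owner:
            return ALLOW, "owner"
        hits = [r for r in self.rules if r.matches(owner, requester, data_type)]
        if data_type in self.regulated_types:
            # Regulated data needs an explicit (non-wildcard) user grant;
            # no carrier or service-agreed rule can substitute for it.
            consent = any(r.layer == "user" and r.effect == ALLOW
                          and "*" not in (r.requester, r.data_type) for r in hits)
            if not consent:
                return DENY, "healthcare: no user consent"
        for layer in LAYERS:
            effects = {r.effect for r in hits if r.layer == layer}
            if effects:
                # Within one layer an explicit deny beats an allow.
                return (DENY if DENY in effects else ALLOW), layer
        return DENY, "default deny"


class CommonRepository:
    def __init__(self, policy):
        self.policy = policy
        self._items = {}   # (owner, data_type) -> value
        self.audit = []    # one record per access decision

    def store(self, owner, data_type, value):          # steps 202 and 204
        self._items[(owner, data_type)] = value

    def read(self, requester, owner, data_type):       # steps 206 and 208
        effect, reason = self.policy.decide(owner, requester, data_type)
        self.audit.append((requester, owner, data_type, effect, reason))
        if effect == DENY:
            raise PermissionError(reason)
        return self._items[(owner, data_type)]


def demo():
    # Constructed applications, data types and values (all hypothetical).
    policy = PolicyModule(
        rules=[
            Rule("user", ALLOW, requester="fitness_app", data_type="gps"),
            Rule("service", ALLOW, owner="health_monitor",
                 requester="insurer_app", data_type="heart_rate"),
            Rule("carrier", DENY, requester="ads_app"),
            Rule("service", ALLOW, requester="ads_app", data_type="gps"),
        ],
        regulated_types={"heart_rate"},
    )
    repo = CommonRepository(policy)
    repo.store("nav_app", "gps", (40.7, -74.0))
    repo.store("health_monitor", "heart_rate", 62)

    def attempt(requester, owner, data_type):
        try:
            return repo.read(requester, owner, data_type)
        except PermissionError as exc:
            return f"denied: {exc}"
    results = {
        "fitness_gps": attempt("fitness_app", "nav_app", "gps"),
        "insurer_before": attempt("insurer_app", "health_monitor", "heart_rate"),
        "ads_gps": attempt("ads_app", "nav_app", "gps"),
    }
    # The user grants consent at runtime (user preferences change dynamically).
    policy.rules.append(
        Rule("user", ALLOW, requester="insurer_app", data_type="heart_rate"))
    results["insurer_after"] = attempt("insurer_app", "health_monitor", "heart_rate")
    return results, repo.audit


if __name__ == "__main__":
    for name, outcome in demo()[0].items():
        print(name, "->", outcome)
```

The audit list records denied requests as well as granted ones, which is the record a reviewer would check to confirm that a service-agreed rule never unlocked regulated data without a user grant.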

The results of method 200 may affect the network connections of device 100. For example, certain data may be shared by policy module 116 with MGW 140 or other cloud services to indicate the requirements that network slice 142 must or may meet in order to provide certain services to device 100.

FIG. 3 is a block diagram of network device 300 that may be connected to or comprise a component of network 100. For example, network device 300 may implement one or more portions of method 200 for placement of network components of application 102. Network device 300 may comprise hardware or a combination of hardware and software. The functionality to facilitate telecommunications via a telecommunications network may reside in one or a combination of network devices 300. Network device 300 depicted in FIG. 3 may represent or perform functionality of an appropriate network device 300, or combination of network devices 300, such as, for example, a component or various components of a cellular broadcast system wireless network, a processor, a server, a gateway, a node, a mobile switching center (MSC), a short message service center (SMSC), an ALFS, a gateway mobile location center (GMLC), a radio access network (RAN), a serving mobile location center (SMLC), or the like, or any appropriate combination thereof. It is emphasized that the block diagram depicted in FIG. 3 is exemplary and not intended to imply a limitation to a specific implementation or configuration. Thus, network device 300 may be implemented in a single device or multiple devices (e.g., single server or multiple servers, single gateway or multiple gateways, single controller or multiple controllers). Multiple network entities may be distributed or centrally located. Multiple network entities may communicate wirelessly, via hard wire, or any appropriate combination thereof.

Network device 300 may comprise a processor 302 and a memory 304 coupled to processor 302. Memory 304 may contain executable instructions that, when executed by processor 302, cause processor 302 to effectuate operations associated with mapping wireless signal strength. As evident from the description herein, network device 300 is not to be construed as software per se.

In addition to processor 302 and memory 304, network device 300 may include an input/output system 306. Processor 302, memory 304, and input/output system 306 may be coupled together (coupling not shown in FIG. 3) to allow communications therebetween. Each portion of network device 300 may comprise circuitry for performing functions associated with each respective portion. Thus, each portion may comprise hardware, or a combination of hardware and software. Accordingly, each portion of network device 300 is not to be construed as software per se. Input/output system 306 may be capable of receiving or providing information from or to a communications device or other network entities configured for telecommunications. For example, input/output system 306 may include a wireless communications (e.g., 3G/4G/GPS) card. Input/output system 306 may be capable of receiving or sending video information, audio information, control information, image information, data, or any combination thereof. Input/output system 306 may be capable of transferring information with network device 300. In various configurations, input/output system 306 may receive or provide information via any appropriate means, such as, for example, optical means (e.g., infrared), electromagnetic means (e.g., RF, Wi-Fi, Bluetooth®, ZigBee®), acoustic means (e.g., speaker, microphone, ultrasonic receiver, ultrasonic transmitter), or a combination thereof. In an example configuration, input/output system 306 may comprise a Wi-Fi finder, a two-way GPS chipset or equivalent, or the like, or a combination thereof.

Input/output system 306 of network device 300 also may contain a communication connection 308 that allows network device 300 to communicate with other devices, network entities, or the like. Communication connection 308 may comprise communication media. Communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and include any information delivery media. By way of example, and not limitation, communication media may include wired media such as a wired network or direct-wired connection, or wireless media such as acoustic, RF, infrared, or other wireless media. The term computer-readable media as used herein includes both storage media and communication media. Input/output system 306 also may include an input device 310 such as a keyboard, mouse, pen, voice input device, or touch input device. Input/output system 306 may also include an output device 312, such as a display, speakers, or a printer.

Processor 302 may be capable of performing functions associated with telecommunications, such as functions for processing broadcast messages, as described herein. For example, processor 302 may be capable of, in conjunction with any other portion of network device 300, determining a type of broadcast message and acting according to the broadcast message type or content, as described herein.

Memory 304 of network device 300 may comprise a storage medium having a concrete, tangible, physical structure. As is known, a signal does not have a concrete, tangible, physical structure. Memory 304, as well as any computer-readable storage medium described herein, is not to be construed as a signal. Memory 304, as well as any computer-readable storage medium described herein, is not to be construed as a transient signal. Memory 304, as well as any computer-readable storage medium described herein, is not to be construed as a propagating signal. Memory 304, as well as any computer-readable storage medium described herein, is to be construed as an article of manufacture.

Memory 304 may store any information utilized in conjunction with telecommunications. Depending upon the exact configuration or type of processor, memory 304 may include a volatile storage 314 (such as some types of RAM), a nonvolatile storage 316 (such as ROM, flash memory), or a combination thereof. Memory 304 may include additional storage (e.g., a removable storage 318 or a nonremovable storage 320) including, for example, tape, flash memory, smart cards, CD-ROM, DVD, or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, USB-compatible memory, or any other medium that can be used to store information and that can be accessed by network device 300. Memory 304 may comprise executable instructions that, when executed by processor 302, cause processor 302 to effectuate operations to map signal strengths in an area of interest.

FIG. 4 illustrates a functional block diagram depicting one example of an LTE-EPS network architecture 400 that may be at least partially implemented using virtualized functions. Network architecture 400 disclosed herein is referred to as a modified LTE-EPS architecture 400 to distinguish it from a traditional LTE-EPS architecture.

An example modified LTE-EPS architecture 400 is based at least in part on standards developed by the 3rd Generation Partnership Project (3GPP), with information available at www.3gpp.org. LTE-EPS network architecture 400 may include an access network 402, a core network 404, e.g., an EPC or Common BackBone (CBB), and one or more external networks 406, sometimes referred to as PDN or peer entities. Different external networks 406 can be distinguished from each other by a respective network identifier, e.g., a label according to DNS naming conventions describing an access point to the PDN. Such labels can be referred to as Access Point Names (APN). External networks 406 can include one or more trusted and non-trusted external networks such as an internet protocol (IP) network 408, an IP multimedia subsystem (IMS) network 410, and other networks 412, such as a service network, a corporate network, or the like. In an aspect, access network 402, core network 404, or external network 405 may include or communicate with network 100.

Access network 402 can include an LTE network architecture sometimes referred to as Evolved Universal Mobile Telecommunication System Terrestrial Radio Access (E-UTRA) and evolved UMTS Terrestrial Radio Access Network (E-UTRAN). Broadly, access network 402 can include one or more communication devices, commonly referred to as UE 414, and one or more wireless access nodes, or base stations 416 a, 416 b. During network operations, at least one base station 416 communicates directly with UE 414. Base station 416 can be an evolved Node B (e-NodeB), with which UE 414 communicates over the air and wirelessly. UEs 414 can include, without limitation, wireless devices, e.g., satellite communication systems, portable digital assistants (PDAs), laptop computers, tablet devices and other mobile devices (e.g., cellular telephones, smart appliances, and so on). UEs 414 can connect to eNBs 416 when UE 414 is within range according to a corresponding wireless communication technology.

UE 414 generally runs one or more applications that engage in a transfer of packets between UE 414 and one or more external networks 406. Such packet transfers can include one of downlink packet transfers from external network 406 to UE 414, uplink packet transfers from UE 414 to external network 406 or combinations of uplink and downlink packet transfers. Applications can include, without limitation, web browsing, VoIP, streaming media and the like. Each application can pose different Quality of Service (QoS) requirements on a respective packet transfer. Different packet transfers can be served by different bearers within core network 404, e.g., according to parameters, such as the QoS.

Core network 404 uses a concept of bearers, e.g., EPS bearers, to route packets, e.g., IP traffic, between a particular gateway in core network 404 and UE 414. A bearer refers generally to an IP packet flow with a defined QoS between the particular gateway and UE 414. Access network 402, e.g., E-UTRAN, and core network 404 together set up and release bearers as required by the various applications. Bearers can be classified in at least two different categories: (i) minimum guaranteed bit rate bearers, e.g., for applications, such as VoIP; and (ii) non-guaranteed bit rate bearers that do not require a guaranteed bit rate, e.g., for applications, such as web browsing.

In one embodiment, the core network 404 includes various network entities, such as MME 418, SGW 420, Home Subscriber Server (HSS) 422, Policy and Charging Rules Function (PCRF) 424 and PGW 426. In one embodiment, MME 418 comprises a control node performing a control signaling between various equipment and devices in access network 402 and core network 404. The protocols running between UE 414 and core network 404 are generally known as Non-Access Stratum (NAS) protocols.

For illustration purposes only, the terms MME 418, SGW 420, HSS 422 and PGW 426, and so on, can be server devices, but may be referred to in the subject disclosure without the word “server.” It is also understood that any form of such servers can operate in a device, system, component, or other form of centralized or distributed hardware and software. It is further noted that these terms and other terms such as bearer paths and/or interfaces are terms that can include features, methodologies, and/or fields that may be described in whole or in part by standards bodies such as the 3GPP. It is further noted that some or all embodiments of the subject disclosure may in whole or in part modify, supplement, or otherwise supersede final or proposed standards published and promulgated by 3GPP.

According to traditional implementations of LTE-EPS architectures, SGW 420 routes and forwards all user data packets. SGW 420 also acts as a mobility anchor for user plane operation during handovers between base stations, e.g., during a handover from first eNB 416 a to second eNB 416 b as may be the result of UE 414 moving from one area of coverage, e.g., cell, to another. SGW 420 can also terminate a downlink data path, e.g., from external network 406 to UE 414 in an idle state, and trigger a paging operation when downlink data arrives for UE 414. SGW 420 can also be configured to manage and store a context for UE 414, e.g., including one or more of parameters of the IP bearer service and network internal routing information. In addition, SGW 420 can perform administrative functions, e.g., in a visited network, such as collecting information for charging (e.g., the volume of data sent to or received from the user), and/or replicate user traffic, e.g., to support a lawful interception. SGW 420 also serves as the mobility anchor for interworking with other 3GPP technologies such as universal mobile telecommunication system (UMTS).

At any given time, UE 414 is generally in one of three different states: detached, idle, or active. The detached state is typically a transitory state in which UE 414 is powered on but is engaged in a process of searching and registering with network 402. In the active state, UE 414 is registered with access network 402 and has established a wireless connection, e.g., radio resource control (RRC) connection, with eNB 416. Whether UE 414 is in an active state can depend on the state of a packet data session, and whether there is an active packet data session. In the idle state, UE 414 is generally in a power conservation state in which UE 414 typically does not communicate packets. When UE 414 is idle, SGW 420 can terminate a downlink data path, e.g., from one peer entity, and trigger paging of UE 414 when data arrives for UE 414. If UE 414 responds to the page, SGW 420 can forward the IP packet to eNB 416 a.

HSS 422 can manage subscription-related information for a user of UE 414. For example, HSS 422 can store information such as authorization of the user, security requirements for the user, quality of service (QoS) requirements for the user, etc. HSS 422 can also hold information about external networks 406 to which the user can connect, e.g., in the form of an APN of external networks 406. For example, MME 418 can communicate with HSS 422 to determine if UE 414 is authorized to establish a call, e.g., a voice over IP (VoIP) call before the call is established.

PCRF 424 can perform QoS management functions and policy control. PCRF 424 is responsible for policy control decision-making, as well as for controlling the flow-based charging functionalities in a policy control enforcement function (PCEF), which resides in PGW 426. PCRF 424 provides the QoS authorization, e.g., QoS class identifier and bit rates that decide how a certain data flow will be treated in the PCEF and ensures that this is in accordance with the user's subscription profile.

PGW 426 can provide connectivity between the UE 414 and one or more of the external networks 406. In illustrative network architecture 400, PGW 426 can be responsible for IP address allocation for UE 414, as well as one or more of QoS enforcement and flow-based charging, e.g., according to rules from the PCRF 424. PGW 426 is also typically responsible for filtering downlink user IP packets into the different QoS-based bearers. In at least some embodiments, such filtering can be performed based on traffic flow templates. PGW 426 can also perform QoS enforcement, e.g., for guaranteed bit rate bearers. PGW 426 also serves as a mobility anchor for interworking with non-3GPP technologies such as CDMA2000.

Within access network 402 and core network 404 there may be various bearer paths/interfaces, e.g., represented by solid lines 428 and 430. Some of the bearer paths can be referred to by a specific label. For example, solid line 428 can be considered an S1-U bearer and solid line 432 can be considered an S5/S8 bearer according to LTE-EPS architecture standards. Without limitation, reference to various interfaces, such as S1, X2, S5, S8, S11 refer to EPS interfaces. In some instances, such interface designations are combined with a suffix, e.g., a “U” or a “C” to signify whether the interface relates to a “User plane” or a “Control plane.” In addition, the core network 404 can include various signaling bearer paths/interfaces, e.g., control plane paths/interfaces represented by dashed lines 430, 434, 436, and 438. Some of the signaling bearer paths may be referred to by a specific label. For example, dashed line 430 can be considered as an S1-MME signaling bearer, dashed line 434 can be considered as an S11 signaling bearer and dashed line 436 can be considered as an S6a signaling bearer, e.g., according to LTE-EPS architecture standards. The above bearer paths and signaling bearer paths are only illustrated as examples and it should be noted that additional bearer paths and signaling bearer paths may exist that are not illustrated.

Also shown is a novel user plane path/interface, referred to as the S1-U+ interface 466. In the illustrative example, the S1-U+ user plane interface extends between the eNB 416 a and PGW 426. Notably, S1-U+ path/interface does not include SGW 420, a node that is otherwise instrumental in configuring and/or managing packet forwarding between eNB 416 a and one or more external networks 406 by way of PGW 426. As disclosed herein, the S1-U+ path/interface facilitates autonomous learning of peer transport layer addresses by one or more of the network nodes to facilitate a self-configuring of the packet forwarding path. In particular, such self-configuring can be accomplished during handovers in most scenarios so as to reduce any extra signaling load on the S/PGWs 420, 426 due to excessive handover events.

In some embodiments, PGW 426 is coupled to storage device 440, shown in phantom. Storage device 440 can be integral to one of the network nodes, such as PGW 426, for example, in the form of internal memory and/or disk drive. It is understood that storage device 440 can include registers suitable for storing address values. Alternatively or in addition, storage device 440 can be separate from PGW 426, for example, as an external hard drive, a flash drive, and/or network storage.

Storage device 440 selectively stores one or more values relevant to the forwarding of packet data. For example, storage device 440 can store identities and/or addresses of network entities, such as any of network nodes 418, 420, 422, 424, and 426, eNBs 416 and/or UE 414. In the illustrative example, storage device 440 includes a first storage location 442 and a second storage location 444. First storage location 442 can be dedicated to storing a Currently Used Downlink address value 442. Likewise, second storage location 444 can be dedicated to storing a Default Downlink Forwarding address value 444. PGW 426 can read and/or write values into either of storage locations 442, 444, for example, managing Currently Used Downlink Forwarding address value 442 and Default Downlink Forwarding address value 444 as disclosed herein.

In some embodiments, the Default Downlink Forwarding address for each EPS bearer is the SGW S5-U address for each EPS Bearer. The “Currently Used Downlink Forwarding address” for each EPS bearer in PGW 426 can be set every time when PGW 426 receives an uplink packet, e.g., a GTP-U uplink packet, with a new source address for a corresponding EPS bearer. When UE 414 is in an idle state, the “Current Used Downlink Forwarding address” field for each EPS bearer of UE 414 can be set to a “null” or other suitable value.

In some embodiments, the Default Downlink Forwarding address is only updated when PGW 426 receives a new SGW S5-U address in a predetermined message or messages. For example, the Default Downlink Forwarding address is only updated when PGW 426 receives one of a Create Session Request, Modify Bearer Request and Create Bearer Response messages from SGW 420.

As values 442, 444 can be maintained and otherwise manipulated on a per bearer basis, it is understood that the storage locations can take the form of tables, spreadsheets, lists, and/or other data structures generally well understood and suitable for maintaining and/or otherwise manipulating forwarding addresses on a per bearer basis.
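The update rules for the two per-bearer values can be modeled as a small table, shown here as an added example that is not part of the original disclosure. Keying the table by GTP-U TEID, the class and function names, the fallback to the default address when the currently used value is null, and the sample addresses are all assumptions made for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

GTPU_GPDU = 0xFF  # G-PDU message type in GTPv1-U (3GPP TS 29.281)

# The only messages from the SGW that the text names as updating the default address.
DEFAULT_UPDATE_MESSAGES = frozenset(
    {"Create Session Request", "Modify Bearer Request", "Create Bearer Response"}
)


def build_gpdu(teid: int, payload: bytes) -> bytes:
    """Build a constructed GTPv1-U G-PDU (sample input for this example)."""
    # Flags 0x30: version 1, protocol type GTP, no optional header fields.
    return struct.pack("!BBHI", 0x30, GTPU_GPDU, len(payload), teid) + payload


def parse_gtpu_teid(datagram: bytes) -> int:
    """Return the TEID of a GTPv1-U G-PDU, or raise ValueError if malformed."""
    if len(datagram) < 8:
        raise ValueError("shorter than the 8-byte mandatory GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not GTP version 1 with protocol type GTP")
    if msg_type != GTPU_GPDU:
        raise ValueError("not a G-PDU")
    if length != len(datagram) - 8:
        raise ValueError("length field does not match the datagram size")
    return teid


@dataclass
class BearerEntry:
    default_dl: str                   # Default Downlink Forwarding address (SGW S5-U)
    current_dl: Optional[str] = None  # Currently Used Downlink Forwarding address; None is "null"


class ForwardingTable:
    """Per-bearer forwarding state; keyed by TEID (an assumption of this example)."""

    def __init__(self) -> None:
        self._bearers: Dict[int, BearerEntry] = {}

    def on_sgw_message(self, msg_name: str, teid: int, sgw_s5u_addr: str) -> bool:
        """Set the default address only for the three named messages."""
        if msg_name not in DEFAULT_UPDATE_MESSAGES:
            return False
        entry = self._bearers.get(teid)
        if entry is None:
            self._bearers[teid] = BearerEntry(default_dl=sgw_s5u_addr)
        else:
            entry.default_dl = sgw_s5u_addr
        return True

    def on_uplink(self, datagram: bytes, outer_src_addr: str) -> bool:
        """Record a new uplink source address; True if the stored value changed."""
        entry = self._bearers.get(parse_gtpu_teid(datagram))
        if entry is None:
            return False  # unknown bearer: uplink traffic creates no state
        if entry.current_dl == outer_src_addr:
            return False
        entry.current_dl = outer_src_addr
        return True

    def on_ue_idle(self, teids: Iterable[int]) -> None:
        """Null the currently used address for each bearer of an idle UE."""
        for teid in teids:
            if teid in self._bearers:
                self._bearers[teid].current_dl = None

    def downlink_target(self, teid: int) -> str:
        """Assumed selection rule: currently used address if set, else the default."""
        entry = self._bearers[teid]
        return entry.current_dl or entry.default_dl


if __name__ == "__main__":
    table = ForwardingTable()
    table.on_sgw_message("Create Session Request", 0x1001, "192.0.2.10")  # constructed address
    table.on_uplink(build_gpdu(0x1001, b"constructed"), "198.51.100.7")   # constructed address
    print(table.downlink_target(0x1001))
    table.on_ue_idle([0x1001])
    print(table.downlink_target(0x1001))
```
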

It should be noted that access network 402 and core network 404 are illustrated in a simplified block diagram in FIG. 4. In other words, either or both of access network 402 and the core network 404 can include additional network elements that are not shown, such as various routers, switches and controllers. In addition, although FIG. 4 illustrates only a single one of each of the various network elements, it should be noted that access network 402 and core network 404 can include any number of the various network elements. For example, core network 404 can include a pool (i.e., more than one) of MMEs 418, SGWs 420 or PGWs 426.

In the illustrative example, data traversing a network path between UE 414, eNB 416 a, SGW 420, PGW 426 and external network 406 may be considered to constitute data transferred according to an end-to-end IP service. However, for the present disclosure, to properly perform establishment management in LTE-EPS network architecture 400, the core network, data bearer portion of the end-to-end IP service is analyzed.

An establishment may be defined herein as a connection set up request between any two elements within LTE-EPS network architecture 400. The connection set up request may be for user data or for signaling. A failed establishment may be defined as a connection set up request that was unsuccessful. A successful establishment may be defined as a connection set up request that was successful.

In one embodiment, a data bearer portion comprises a first portion (e.g., a data radio bearer 446) between UE 414 and eNB 416 a, a second portion (e.g., an S1 data bearer 428) between eNB 416 a and SGW 420, and a third portion (e.g., an S5/S8 bearer 432) between SGW 420 and PGW 426. Various signaling bearer portions are also illustrated in FIG. 4. For example, a first signaling portion (e.g., a signaling radio bearer 448) between UE 414 and eNB 416 a, and a second signaling portion (e.g., S1 signaling bearer 430) between eNB 416 a and MME 418.

In at least some embodiments, the data bearer can include tunneling, e.g., IP tunneling, by which data packets can be forwarded in an encapsulated manner, between tunnel endpoints. Tunnels, or tunnel connections can be identified in one or more nodes of network 100, e.g., by one or more of tunnel endpoint identifiers, an IP address and a user datagram protocol port number. Within a particular tunnel connection, payloads, e.g., packet data, which may or may not include protocol related information, are forwarded between tunnel endpoints.

An example of first tunnel solution 450 includes a first tunnel 452 a between two tunnel endpoints 454 a and 456 a, and a second tunnel 452 b between two tunnel endpoints 454 b and 456 b. In the illustrative example, first tunnel 452 a is established between eNB 416 a and SGW 420. Accordingly, first tunnel 452 a includes a first tunnel endpoint 454 a corresponding to an S1-U address of eNB 416 a (referred to herein as the eNB S1-U address), and second tunnel endpoint 456 a corresponding to an S1-U address of SGW 420 (referred to herein as the SGW S1-U address). Likewise, second tunnel 452 b includes first tunnel endpoint 454 b corresponding to an S5-U address of SGW 420 (referred to herein as the SGW S5-U address), and second tunnel endpoint 456 b corresponding to an S5-U address of PGW 426 (referred to herein as the PGW S5-U address).

In at least some embodiments, first tunnel solution 450 is referred to as a two tunnel solution, e.g., according to the GPRS Tunneling Protocol User Plane (GTPv1-U based), as described in 3GPP specification TS 29.281, incorporated herein in its entirety. It is understood that one or more tunnels are permitted between each set of tunnel end points. For example, each subscriber can have one or more tunnels, e.g., one for each PDP context that they have active, as well as possibly having separate tunnels for specific connections with different quality of service requirements, and so on.

An example of second tunnel solution 458 includes a single or direct tunnel 460 between tunnel endpoints 462 and 464. In the illustrative example, direct tunnel 460 is established between eNB 416 a and PGW 426, without subjecting packet transfers to processing related to SGW 420. Accordingly, direct tunnel 460 includes first tunnel endpoint 462 corresponding to the eNB S1-U address, and second tunnel endpoint 464 corresponding to the PGW S5-U address. Packet data received at either end can be encapsulated into a payload and directed to the corresponding address of the other end of the tunnel. Such direct tunneling avoids processing, e.g., by SGW 420 that would otherwise relay packets between the same two endpoints, e.g., according to a protocol, such as the GTP-U protocol.

In some scenarios, direct tunneling solution 458 can forward user plane data packets between eNB 416 a and PGW 426, by way of SGW 420. That is, SGW 420 can serve a relay function, by relaying packets between two tunnel endpoints 416 a, 426. In other scenarios, direct tunneling solution 458 can forward user data packets between eNB 416 a and PGW 426, by way of the S1-U+ interface, thereby bypassing SGW 420.

Generally, UE 414 can have one or more bearers at any one time. The number and types of bearers can depend on applications, default requirements, and so on. It is understood that the techniques disclosed herein, including the configuration, management and use of various tunnel solutions 450, 458, can be applied to the bearers on an individual basis. That is, if user data packets of one bearer, say a bearer associated with a VoIP service of UE 414, then the forwarding of all packets of that bearer are handled in a similar manner. Continuing with this example, the same UE 414 can have another bearer associated with it through the same eNB 416 a. This other bearer, for example, can be associated with a relatively low rate data session forwarding user data packets through core network 404 simultaneously with the first bearer. Likewise, the user data packets of the other bearer are also handled in a similar manner, without necessarily following a forwarding path or solution of the first bearer. Thus, one of the bearers may be forwarded through direct tunnel 458; whereas, another one of the bearers may be forwarded through a two-tunnel solution 450.

FIG. 5 depicts an exemplary diagrammatic representation of a machine in the form of a computer system 500 within which a set of instructions, when executed, may cause the machine to perform any one or more of the methods described above. One or more instances of the machine can operate, for example, as processor 302, UE 414, eNB 416, MME 418, SGW 420, HSS 422, PCRF 424, PGW 426 and other devices of FIGS. 1, 2, and 4. In some embodiments, the machine may be connected (e.g., using a network 502) to other machines. In a networked deployment, the machine may operate in the capacity of a server or a client user machine in a server-client user network environment, or as a peer machine in a peer-to-peer (or distributed) network environment.

The machine may comprise a server computer, a client user computer, a personal computer (PC), a tablet, a smart phone, a laptop computer, a desktop computer, a control system, a network router, switch or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. It will be understood that a communication device of the subject disclosure includes broadly any electronic device that provides voice, video or data communication. Further, while a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methods discussed herein.

Computer system 500 may include a processor (or controller) 504 (e.g., a central processing unit (CPU)), a graphics processing unit (GPU, or both), a main memory 506 and a static memory 508, which communicate with each other via a bus 510. The computer system 500 may further include a display unit 512 (e.g., a liquid crystal display (LCD), a flat panel, or a solid state display). Computer system 500 may include an input device 514 (e.g., a keyboard), a cursor control device 516 (e.g., a mouse), a disk drive unit 518, a signal generation device 520 (e.g., a speaker or remote control) and a network interface device 522. In distributed environments, the embodiments described in the subject disclosure can be adapted to utilize multiple display units 512 controlled by two or more computer systems 500. In this configuration, presentations described by the subject disclosure may in part be shown in a first of display units 512, while the remaining portion is presented in a second of display units 512.

The disk drive unit 518 may include a tangible computer-readable storage medium 524 on which is stored one or more sets of instructions (e.g., software 526) embodying any one or more of the methods or functions described herein, including those methods illustrated above. Instructions 526 may also reside, completely or at least partially, within main memory 506, static memory 508, or within processor 504 during execution thereof by the computer system 500. Main memory 506 and processor 504 also may constitute tangible computer-readable storage media.

As shown in FIG. 6, telecommunication system 600 may include wireless transmit/receive units (WTRUs) 602, a RAN 604, a core network 606, a public switched telephone network (PSTN) 608, the Internet 610, or other networks 612, though it will be appreciated that the disclosed examples contemplate any number of WTRUs, base stations, networks, or network elements. Each WTRU 602 may be any type of device configured to operate or communicate in a wireless environment. For example, a WTRU may comprise a mobile device, network device 300, or the like, or any combination thereof. By way of example, WTRUs 602 may be configured to transmit or receive wireless signals and may include a UE, a mobile station, a mobile device, a fixed or mobile subscriber unit, a pager, a cellular telephone, a PDA, a smartphone, a laptop, a netbook, a personal computer, a wireless sensor, consumer electronics, or the like. WTRUs 602 may be configured to transmit or receive wireless signals over an air interface 614.

Telecommunication system 600 may also include one or more base stations 616. Each of base stations 616 may be any type of device configured to wirelessly interface with at least one of the WTRUs 602 to facilitate access to one or more communication networks, such as core network 606, PSTN 608, Internet 610, or other networks 612. By way of example, base stations 616 may be a base transceiver station (BTS), a Node-B, an eNode B, a Home Node B, a Home eNode B, a site controller, an access point (AP), a wireless router, or the like. While base stations 616 are each depicted as a single element, it will be appreciated that base stations 616 may include any number of interconnected base stations or network elements.

RAN 604 may include one or more base stations 616, along with other network elements (not shown), such as a base station controller (BSC), a radio network controller (RNC), or relay nodes. One or more base stations 616 may be configured to transmit or receive wireless signals within a particular geographic region, which may be referred to as a cell (not shown). The cell may further be divided into cell sectors. For example, the cell associated with base station 616 may be divided into three sectors such that base station 616 may include three transceivers: one for each sector of the cell. In another example, base station 616 may employ multiple-input multiple-output (MIMO) technology and, therefore, may utilize multiple transceivers for each sector of the cell.

Base stations 616 may communicate with one or more of WTRUs 602 over air interface 614, which may be any suitable wireless communication link (e.g., RF, microwave, infrared (IR), ultraviolet (UV), or visible light). Air interface 614 may be established using any suitable radio access technology (RAT).

More specifically, as noted above, telecommunication system 600 may be a multiple access system and may employ one or more channel access schemes, such as CDMA, TDMA, FDMA, OFDMA, SC-FDMA, or the like. For example, base station 616 in RAN 604 and WTRUs 602 connected to RAN 604 may implement a radio technology such as Universal Mobile Telecommunications System (UMTS) Terrestrial Radio Access (UTRA) that may establish air interface 614 using wideband CDMA (WCDMA). WCDMA may include communication protocols, such as High-Speed Packet Access (HSPA) or Evolved HSPA (HSPA+). HSPA may include High-Speed Downlink Packet Access (HSDPA) or High-Speed Uplink Packet Access (HSUPA).

As another example, base station 616 and WTRUs 602 that are connected to RAN 604 may implement a radio technology such as Evolved UMTS Terrestrial Radio Access (E-UTRA), which may establish air interface 614 using LTE or LTE-Advanced (LTE-A).

Optionally, base station 616 and WTRUs 602 connected to RAN 604 may implement radio technologies such as IEEE 602.16 (i.e., Worldwide Interoperability for Microwave Access (WiMAX)), CDMA2000, CDMA2000 1×, CDMA2000 EV-DO, Interim Standard 2000 (IS-2000), Interim Standard 95 (IS-95), Interim Standard 856 (IS-856), GSM, Enhanced Data rates for GSM Evolution (EDGE), GSM EDGE (GERAN), or the like.

Base station 616 may be a wireless router, Home Node B, Home eNode B, or access point, for example, and may utilize any suitable RAT for facilitating wireless connectivity in a localized area, such as a place of business, a home, a vehicle, a campus, or the like. For example, base station 616 and associated WTRUs 602 may implement a radio technology such as IEEE 602.11 to establish a wireless local area network (WLAN). As another example, base station 616 and associated WTRUs 602 may implement a radio technology such as IEEE 602.15 to establish a wireless personal area network (WPAN). In yet another example, base station 616 and associated WTRUs 602 may utilize a cellular-based RAT (e.g., WCDMA, CDMA2000, GSM, LTE, LTE-A, etc.) to establish a picocell or femtocell. As shown in FIG. 6, base station 616 may have a direct connection to Internet 610. Thus, base station 616 may not be required to access Internet 610 via core network 606.

RAN 604 may be in communication with core network 606, which may be any type of network configured to provide voice, data, applications, and/or voice over internet protocol (VoIP) services to one or more WTRUs 602. For example, core network 606 may provide call control, billing services, mobile location-based services, pre-paid calling, Internet connectivity, video distribution or high-level security functions, such as user authentication. Although not shown in FIG. 6, it will be appreciated that RAN 604 or core network 606 may be in direct or indirect communication with other RANs that employ the same RAT as RAN 604 or a different RAT. For example, in addition to being connected to RAN 604, which may be utilizing an E-UTRA radio technology, core network 606 may also be in communication with another RAN (not shown) employing a GSM radio technology.

Core network 606 may also serve as a gateway for WTRUs 602 to access PSTN 608, Internet 610, or other networks 612. PSTN 608 may include circuit-switched telephone networks that provide plain old telephone service (POTS). For LTE core networks, core network 606 may use IMS core 614 to provide access to PSTN 608. Internet 610 may include a global system of interconnected computer networks or devices that use common communication protocols, such as the transmission control protocol (TCP), user datagram protocol (UDP), or IP in the TCP/IP internet protocol suite. Other networks 612 may include wired or wireless communications networks owned or operated by other service providers. For example, other networks 612 may include another core network connected to one or more RANs, which may employ the same RAT as RAN 604 or a different RAT.

Some or all WTRUs 602 in telecommunication system 600 may include multi-mode capabilities. That is, WTRUs 602 may include multiple transceivers for communicating with different wireless networks over different wireless links. For example, one or more WTRUs 602 may be configured to communicate with base station 616, which may employ a cellular-based radio technology, and with base station 616, which may employ an IEEE 802 radio technology.

FIG. 7 is an example system 700 including RAN 604 and core network 606. As noted above, RAN 604 may employ an E-UTRA radio technology to communicate with WTRUs 602 over air interface 614. RAN 604 may also be in communication with core network 606.

RAN 604 may include any number of eNode-Bs 702 while remaining consistent with the disclosed technology. One or more eNode-Bs 702 may include one or more transceivers for communicating with the WTRUs 602 over air interface 614. Optionally, eNode-Bs 702 may implement MIMO technology. Thus, one of eNode-Bs 702, for example, may use multiple antennas to transmit wireless signals to, or receive wireless signals from, one of WTRUs 602.

Each of eNode-Bs 702 may be associated with a particular cell (not shown) and may be configured to handle radio resource management decisions, handover decisions, scheduling of users in the uplink or downlink, or the like. As shown in FIG. 7, eNode-Bs 702 may communicate with one another over an X2 interface.

Core network 606 shown in FIG. 7 may include a mobility management gateway or entity (MME) 704, a serving gateway 706, or a packet data network (PDN) gateway 708. While each of the foregoing elements are depicted as part of core network 606, it will be appreciated that any one of these elements may be owned or operated by an entity other than the core network operator.

MME 704 may be connected to each of eNode-Bs 702 in RAN 604 via an S1 interface and may serve as a control node. For example, MME 704 may be responsible for authenticating users of WTRUs 602, bearer activation or deactivation, selecting a particular serving gateway during an initial attach of WTRUs 602, or the like. MME 704 may also provide a control plane function for switching between RAN 604 and other RANs (not shown) that employ other radio technologies, such as GSM or WCDMA.

Serving gateway 706 may be connected to each of eNode-Bs 702 in RAN 604 via the S1 interface. Serving gateway 706 may generally route or forward user data packets to or from the WTRUs 602. Serving gateway 706 may also perform other functions, such as anchoring user planes during inter-eNode B handovers, triggering paging when downlink data is available for WTRUs 602, managing or storing contexts of WTRUs 602, or the like.

Serving gateway 706 may also be connected to PDN gateway 708, which may provide WTRUs 602 with access to packet-switched networks, such as Internet 610, to facilitate communications between WTRUs 602 and IP-enabled devices.

Core network 606 may facilitate communications with other networks. For example, core network 606 may provide WTRUs 602 with access to circuit-switched networks, such as PSTN 608, such as through IMS core 614, to facilitate communications between WTRUs 602 and traditional land-line communications devices. In addition, core network 606 may provide the WTRUs 602 with access to other networks 612, which may include other wired or wireless networks that are owned or operated by other service providers.

FIG. 8 illustrates an architecture of a typical GPRS network 900 as described herein. The architecture depicted in FIG. 8 may be segmented into four groups: users 902, RAN 904, core network 906, and interconnect network 908. Users 902 comprise a plurality of end users, who each may use one or more devices 910. Note that device 910 is referred to as a mobile subscriber (MS) in the description of network shown in FIG. 8. In an example, device 910 comprises a communications device (e.g., device 120, network device 300, or the like, or any combination thereof). Radio access network 904 comprises a plurality of BSSs such as BSS 912, which includes a BTS 914 and a BSC 916. Core network 906 may include a host of various network elements. As illustrated in FIG. 8, core network 906 may comprise MSC 918, service control point (SCP) 920, gateway MSC (GMSC) 922, SGSN 924, home location register (HLR) 926, authentication center (AuC) 928, domain name system (DNS) server 930, and GGSN 932. Interconnect network 908 may also comprise a host of various networks or other network elements. As illustrated in FIG. 8, interconnect network 908 comprises a PSTN 934, an FES/Internet 936, a firewall 1038, or a corporate network 940.

An MSC can be connected to a large number of BSCs. At MSC 918, for instance, depending on the type of traffic, the traffic may be separated in that voice may be sent to PSTN 934 through GMSC 922, or data may be sent to SGSN 924, which then sends the data traffic to GGSN 932 for further forwarding.

When MSC 918 receives call traffic, for example, from BSC 916, it sends a query to a database hosted by SCP 920, which processes the request and issues a response to MSC 918 so that it may continue call processing as appropriate.

HLR 926 is a centralized database for users to register to the GPRS network. HLR 926 stores static information about the subscribers such as the International Mobile Subscriber Identity (IMSI), subscribed services, or a key for authenticating the subscriber. HLR 926 also stores dynamic subscriber information such as the current location of the MS. Associated with HLR 926 is AuC 928, which is a database that contains the algorithms for authenticating subscribers and includes the associated keys for encryption to safeguard the user input for authentication.

In the following, depending on context, “mobile subscriber” or “MS” sometimes refers to the end user and sometimes to the actual portable device, such as a mobile device, used by an end user of the mobile cellular service. When a mobile subscriber turns on his or her mobile device, the mobile device goes through an attach process by which the mobile device attaches to an SGSN of the GPRS network. In FIG. 8, when MS 910 initiates the attach process by turning on the network capabilities of the mobile device, an attach request is sent by MS 910 to SGSN 924. The SGSN 924 queries another SGSN, to which MS 910 was attached before, for the identity of MS 910. Upon receiving the identity of MS 910 from the other SGSN, SGSN 924 requests more information from MS 910. This information is used to authenticate MS 910 together with the information provided by HLR 926. Once verified, SGSN 924 sends a location update to HLR 926 indicating the change of location to a new SGSN, in this case SGSN 924. HLR 926 notifies the old SGSN, to which MS 910 was attached before, to cancel the location process for MS 910. HLR 926 then notifies SGSN 924 that the location update has been performed. At this time, SGSN 924 sends an Attach Accept message to MS 910, which in turn sends an Attach Complete message to SGSN 924.

Next, MS 910 establishes a user session with the destination network, corporate network 940, by going through a Packet Data Protocol (PDP) activation process. Briefly, in the process, MS 910 requests access to the Access Point Name (APN), for example, UPS.com, and SGSN 924 receives the activation request from MS 910. SGSN 924 then initiates a DNS query to learn which GGSN 932 has access to the UPS.com APN. The DNS query is sent to a DNS server within core network 906, such as DNS server 930, which is provisioned to map to one or more GGSNs in core network 906. Based on the APN, the mapped GGSN 932 can access requested corporate network 940. SGSN 924 then sends to GGSN 932 a Create PDP Context Request message that contains necessary information. GGSN 932 sends a Create PDP Context Response message to SGSN 924, which then sends an Activate PDP Context Accept message to MS 910.

Once activated, data packets of the call made by MS 910 can then go through RAN 904, core network 906, and interconnect network 908, in a particular FES/Internet 936 and firewall 1038, to reach corporate network 940.

FIG. 9 illustrates a PLMN block diagram view of an example architecture that may be replaced by a telecommunications system. In FIG. 9, solid lines may represent user traffic signals, and dashed lines may represent support signaling. MS 1002 is the physical equipment used by the PLMN subscriber. For example, device 120, vehicle 103, network device 300, the like, or any combination thereof may serve as MS 1002. MS 1002 may be one of, but not limited to, a cellular telephone, a cellular telephone in combination with another electronic device or any other wireless mobile communication device.

MS 1002 may communicate wirelessly with BSS 1004. BSS 1004 contains BSC 1006 and a BTS 1008. BSS 1004 may include a single BSC 1006/BTS 1008 pair (base station) or a system of BSC/BTS pairs that are part of a larger network. BSS 1004 is responsible for communicating with MS 1002 and may support one or more cells. BSS 1004 is responsible for handling cellular traffic and signaling between MS 1002 and a core network 1010. Typically, BSS 1004 performs functions that include, but are not limited to, digital conversion of speech channels, allocation of channels to mobile devices, paging, or transmission/reception of cellular signals.

Additionally, MS 1002 may communicate wirelessly with RNS 1012. RNS 1012 contains a Radio Network Controller (RNC) 1014 and one or more Nodes B 1016. RNS 1012 may support one or more cells. RNS 1012 may also include one or more RNC 1014/Node B 1016 pairs or alternatively a single RNC 1014 may manage multiple Nodes B 1016. RNS 1012 is responsible for communicating with MS 1002 in its geographically defined area. RNC 1014 is responsible for controlling Nodes B 1016 that are connected to it and is a control element in a UMTS radio access network. RNC 1014 performs functions such as, but not limited to, load control, packet scheduling, handover control, security functions, or controlling MS 1002 access to core network 1010.

An E-UTRA Network (E-UTRAN) 1018 is a RAN that provides wireless data communications for MS 1002 and UE 1024. E-UTRAN 1018 provides higher data rates than traditional UMTS. It is part of the LTE upgrade for mobile networks, and later releases meet the requirements of the International Mobile Telecommunications (IMT) Advanced and are commonly known as 4G networks. E-UTRAN 1018 may include a series of logical network components such as E-UTRAN Node B (eNB) 1020 and E-UTRAN Node B (eNB) 1022. E-UTRAN 1018 may contain one or more eNBs. User equipment (UE) 1024 may be any mobile device capable of connecting to E-UTRAN 1018 including, but not limited to, a personal computer, laptop, mobile device, wireless router, or other device capable of wireless connectivity to E-UTRAN 1018. The improved performance of the E-UTRAN 1018 relative to a typical UMTS network allows for increased bandwidth, spectral efficiency, and functionality including, but not limited to, voice, high-speed applications, large data transfer or IPTV, while still allowing for full mobility.

Typically MS 1002 may communicate with any or all of BSS 1004, RNS 1012, or E-UTRAN 1018. In an illustrative system, each of BSS 1004, RNS 1012, and E-UTRAN 1018 may provide MS 1002 with access to core network 1010. Core network 1010 may include a series of devices that route data and communications between end users. Core network 1010 may provide network service functions to users in the circuit switched (CS) domain or the packet switched (PS) domain. The CS domain refers to connections in which dedicated network resources are allocated at the time of connection establishment and then released when the connection is terminated. The PS domain refers to communications and data transfers that make use of autonomous groupings of bits called packets. Each packet may be routed, manipulated, processed or handled independently of all other packets in the PS domain and does not require dedicated network resources.

The circuit-switched MGW function (CS-MGW) 1026 is part of core network 1010, and interacts with VLR/MSC server 1028 and GMSC server 1030 in order to facilitate core network 1010 resource control in the CS domain. Functions of CS-MGW 1026 include, but are not limited to, media conversion, bearer control, payload processing or other mobile network processing such as handover or anchoring. CS-MGW 1026 may receive connections to MS 1002 through BSS 1004 or RNS 1012.

SGSN 1032 stores subscriber data regarding MS 1002 in order to facilitate network functionality. SGSN 1032 may store subscription information such as, but not limited to, the IMSI, temporary identities, or PDP addresses. SGSN 1032 may also store location data such as, but not limited to, GGSN address for each GGSN 1034 where an active PDP exists. GGSN 1034 may implement a location register function to store subscriber data it receives from SGSN 1032 such as subscription or location data.

Serving gateway (S-GW) 1036 is an interface which provides connectivity between E-UTRAN 1018 and core network 1010. Functions of S-GW 1036 include, but are not limited to, packet routing, packet forwarding, transport level packet processing, or user plane mobility anchoring for inter-network mobility. PCRF 1038 uses information gathered from P-GW 1036, as well as other sources, to make applicable policy and charging decisions related to data flows, network resources or other network administration functions. PDN gateway (PDN-GW) 1040 may provide user-to-services connectivity functionality including, but not limited to, GPRS/EPC network anchoring, bearer session anchoring and control, or IP address allocation for PS domain connections.

HSS 1042 is a database for user information and stores subscription data regarding MS 1002 or UE 1024 for handling calls or data sessions. Networks may contain one HSS 1042 or more if additional resources are required. Example data stored by HSS 1042 includes, but is not limited to, user identification, numbering or addressing information, security information, or location data. HSS 1042 may also provide call or session establishment procedures in both the PS and CS domains.

VLR/MSC Server 1028 provides user location functionality. When MS 1002 enters a new network location, it begins a registration procedure. An MSC server for that location transfers the location data to the VLR for the area. A VLR and MSC server may be located in the same computing environment, as is shown by VLR/MSC server 1028, or alternatively may be located in separate computing environments. A VLR may contain, but is not limited to, user information such as the IMSI, the Temporary Mobile Station Identity (TMSI), the Local Mobile Station Identity (LMSI), the last known location of the mobile station, or the SGSN where the mobile station was previously registered. The MSC server may contain information such as, but not limited to, procedures for MS 1002 registration or procedures for handover of MS 1002 to a different section of core network 1010. GMSC server 1030 may serve as a connection to alternate GMSC servers for other MSs in larger networks.

EIR 1044 is a logical element which may store the IMEI for MS 1002. User equipment may be classified as either “white listed” or “black listed” depending on its status in the network. If MS 1002 is stolen and put to use by an unauthorized user, it may be registered as “black listed” in EIR 1044, preventing its use on the network. An MME 1046 is a control node which may track MS 1002 or UE 1024 if the devices are idle. Additional functionality may include the ability of MME 1046 to contact idle MS 1002 or UE 1024 if retransmission of a previous session is required.

While examples of a telecommunications system in which packages can be monitored have been described in connection with various computing devices/processors, the underlying concepts may be applied to any computing device, processor, or system capable of facilitating a telecommunications system. The various techniques described herein may be implemented in connection with hardware or software or, where appropriate, with a combination of both. Thus, the methods and devices may take the form of program code (i.e., instructions) embodied in concrete, tangible, storage media having a concrete, tangible, physical structure. Examples of tangible storage media include floppy diskettes, CD-ROMs, DVDs, hard drives, or any other tangible machine-readable storage medium (computer-readable storage medium). Thus, a computer-readable storage medium is not a signal. A computer-readable storage medium is not a transient signal. Further, a computer-readable storage medium is not a propagating signal. A computer-readable storage medium as described herein is an article of manufacture. When the program code is loaded into and executed by a machine, such as a computer, the machine becomes a device for telecommunications. In the case of program code execution on programmable computers, the computing device will generally include a processor, a storage medium readable by the processor (including volatile or nonvolatile memory or storage elements), at least one input device, and at least one output device. The program(s) can be implemented in assembly or machine language, if desired. The language can be a compiled or interpreted language, and may be combined with hardware implementations.

The methods and devices associated with a telecommunications system as described herein also may be practiced via communications embodied in the form of program code that is transmitted over some transmission medium, such as over electrical wiring or cabling, through fiber optics, or via any other form of transmission, wherein, when the program code is received and loaded into and executed by a machine, such as an EPROM, a gate array, a programmable logic device (PLD), a client computer, or the like, the machine becomes a device for implementing telecommunications as described herein. When implemented on a general-purpose processor, the program code combines with the processor to provide a unique device that operates to invoke the functionality of a telecommunications system.

While a telecommunications system has been described in connection with the various examples of the various figures, it is to be understood that other similar implementations may be used or modifications and additions may be made to the described examples of a telecommunications system without deviating therefrom. For example, one skilled in the art will recognize that a telecommunications system as described in the instant application may apply to any environment, whether wired or wireless, and may be applied to any number of such devices connected via a communications network and interacting across the network. Therefore, a telecommunications system as described herein should not be limited to any single example, but rather should be construed in breadth and scope in accordance with the appended claims.

What is claimed is:
 1. A device comprising: a processor having a trusted security zone; trusted memory communicatively coupled to a secure area of the processor to form a trusted execution environment (TEE) in which trusted applications operate, the trusted memory having a common repository; hardware isolating the TEE from an operating system environment of the device; and memory storing instructions that cause the processor to effectuate operations, the operations comprising: receiving, from a first trusted application of the trusted applications, a first application data; storing the first application data in the common repository; determining, based on a policy module of the TEE, that a second trusted application of the trusted applications has permission to access the first application data; allowing the second trusted application to access the first application data and to share the first application data with a cloud service of the second trusted application; and indicating, by the policy module to a network manager, requirements of a network slice of the network, wherein the network manager assigns, based on the requirements and metadata indicating the first application data is being accessed, the device to the network slice of the network.
 2. The device of claim 1, further comprising: receiving, at the policy module, a request for a network manager of a network connected to the device to access the first application data; and allowing the network manager to access the first application data based on the policy module.
 3. The device of claim 1, wherein access to the common repository is controlled by the policy module.
 4. The device of claim 1, wherein the policy module comprises a user preference regarding the access.
 5. The device of claim 1, wherein the first application data comprises health data, the operations further comprising: determining, by the policy module, that the health data is subject to a legal protection; determining whether a user preference overrides the legal protection with respect to the second trusted application; and based on the user preference overriding the legal protection, granting the second trusted application access to the first application data.
 6. The device of claim 1, wherein the policy module comprises a carrier-related policy regarding the first application data.
 7. The device of claim 1, wherein the policy module comprises a service-agreed rule associated with the first trusted application restricting access to the first application data.
 8. The device of claim 1, wherein the network comprises a 5G network.
 9. The device of claim 1, wherein assigning the device to a network slice is further based on identifying a network resource for providing a network service to the device.
 10. An apparatus comprising: a processor; trusted memory communicatively coupled to a secure area of the processor to form a trusted execution environment (TEE) in which trusted applications operate, the trusted memory having a common repository; hardware isolating the TEE from an operating system environment of the apparatus; and memory storing instructions that cause the processor to effectuate operations, the operations comprising: receiving, from a first trusted application of the trusted applications, a first application data; storing the first application data in the common repository; determining, based on a policy module of the TEE, that a second trusted application of the trusted applications has permission to access the first application data; allowing the second trusted application to access the first application data; receiving, at the policy module, a request for a network manager of a network connected to the apparatus to access the first application data; allowing, based on the policy module, the network manager to access the first application data; and indicating, by the policy module to the network manager, requirements of a network slice of the network, wherein the network manager assigns, based on the requirements and metadata indicating the first application data is being accessed, the apparatus to the network slice of the network.
 11. The apparatus of claim 10, wherein allowing the second trusted application to access the first application data comprises: receiving, from the second trusted application, a request associated with the first application data; determining, based on the policy module, that the first trusted application has permission to access the first application data; and based on the first trusted application having permission, permitting the first trusted application to access the first application data.
 12. The apparatus of claim 11, wherein the policy module comprises a user preference regarding the access.
 13. The apparatus of claim 10, wherein the first application data comprises health data, the operations further comprising: determining, by the policy module, that the health data is subject to a legal protection; determining whether a user preference overrides the legal protection with respect to the second trusted application; and based on the user preference overriding the legal protection, granting the second trusted application access to the first application data.
 14. The apparatus of claim 10, wherein the policy module comprises a carrier-related policy regarding the first application data.
 15. The apparatus of claim 10, wherein the policy module comprises a service-agreed rule associated with the first trusted application restricting access to the first application data.
 16. The apparatus of claim 10, wherein the network comprises a 5G network.
 17. The apparatus of claim 10, wherein assigning the apparatus to a network slice is further based on identifying a network resource for providing a network service to the apparatus.
 18. A non-transitory computer readable storage medium that is storing computer executable instructions that when executed by a computing device cause said computing device to effectuate operations comprising: receiving, from a first trusted application of the trusted applications, a first application data; storing the first application data in common repository; determining, based on a policy module of a trusted execution environment (TEE), that a second trusted application of the trusted applications has permission to access the first application data; allowing the second trusted application to access the first application data and to share the first application data with a cloud service of the second trusted application; and indicating, by the policy module to a network manager, requirements of a network slice of the network, wherein the network manager assigns, based on the requirements and metadata indicating the first application data is being accessed, the device to the network slice of the network.
 19. The computer readable storage medium of claim 18, the operations comprising: receiving, at the policy module, a request for a network manager of a network connected to the device to access the first application data; and allowing the network manager to access the first application data based on the policy module.
 20. The computer readable storage medium of claim 18, wherein access to the common repository is controlled by the policy module.
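
The access decision recited in claims 1 and 3 to 7 can be modeled as a default-deny check in front of the common repository. The following is an added illustration, not part of the patent or any implementation of it; the class names, application names, reason strings and the order in which the rules are evaluated are assumptions, since the claims do not fix a precedence beyond the user preference being able to override a legal protection (claim 5).

```python
from dataclasses import dataclass, field


@dataclass
class Record:
    owner: str                      # trusted application that stored the data
    payload: bytes
    category: str                   # constructed label, e.g. "health"
    legally_protected: bool = False


@dataclass
class PolicyModule:
    user_grants: set = field(default_factory=set)      # (owner, requester) pairs the user approved
    user_overrides: set = field(default_factory=set)   # pairs where the user overrides legal protection
    carrier_blocked: set = field(default_factory=set)  # categories the carrier policy withholds
    service_rules: dict = field(default_factory=dict)  # owner -> requesters its service agreement bars

    def decide(self, record, requester):
        """Return (allowed, reason). Rule order is an assumption of this sketch."""
        if requester == record.owner:
            return True, "owner"
        pair = (record.owner, requester)
        if requester in self.service_rules.get(record.owner, set()):
            return False, "service-agreed rule"
        if record.category in self.carrier_blocked:
            return False, "carrier policy"
        if pair not in self.user_grants:
            return False, "no user preference"          # default deny
        if record.legally_protected and pair not in self.user_overrides:
            return False, "legal protection"
        return True, "user preference"


class CommonRepository:
    """Every read goes through the policy module and is logged."""

    def __init__(self, policy):
        self._policy = policy
        self._records = {}
        self.audit = []

    def store(self, key, record):
        self._records[key] = record

    def read(self, key, requester):
        record = self._records[key]
        allowed, reason = self._policy.decide(record, requester)
        self.audit.append((key, requester, allowed, reason))
        if not allowed:
            raise PermissionError(reason)
        return record.payload


def build_demo():
    """Constructed scenario: a heart-monitor app stores protected health data."""
    policy = PolicyModule(user_grants={("heart_app", "fitness_app")})
    repo = CommonRepository(policy)
    repo.store("hr-1", Record("heart_app", b"72 bpm", "health", legally_protected=True))
    return repo, policy
```

In this model a general sharing grant is not enough for legally protected data: the second application is refused until the user records an explicit override, and each decision is kept in the audit list with its reason.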